Looking at the log I found that Granted Authorities is assigned
ROLES_IGNORED_BY_CAS:
[DEBUG,AbstractSecurityInterceptor,http-8443-Processor25] Previously
Authenticated: [EMAIL PROTECTED]:
Username: [EMAIL PROTECTED]: Username:
marissa; Password: [PROTECTED]; Enabled: true; AccountNonExpired:
true; credentialsNonExpired: true; AccountNonLocked: true; Granted
Authorities: ROLES_IGNORED_BY_CAS; Password: [PROTECTED];
Authenticated: true; Details:
[EMAIL PROTECTED]: RemoteIpAddress:
127.0.0.1; SessionId: 93CEF2563D1E11366A39530E6E8706E5; Granted
Authorities: ROLES_IGNORED_BY_CAS; Credentials (Service/Proxy Ticket):
ST-2-MKRk4HEJGcnsVHhESNOKCteX0lxWKnGXISh-20; Proxy-Granting Ticket
IOU: ; Proxy List: []
Should the filterInvocationInterceptor also contain ROLES_IGNORED_BY_CAS?
<bean id="filterInvocationInterceptor"
      class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager"><ref local="authenticationManager"/></property>
  <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
  <property name="objectDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      \A/secure/super.*\Z=ROLE_WE_DONT_HAVE
      \A/secure/.*\Z=ROLE_SUPERVISOR,ROLE_TELLER
    </value>
  </property>
</bean>
Thanks.
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas